From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 14:30:57 2011
Date: Sun, 9 Jan 2011 01:30:54 +1100 (EST)
From: Ian Smith
To: freebsd-ipfw@freebsd.org
Cc: Brandon Gooch, Thomas Sandford, hrs@freebsd.org, David Naylor
Subject: Re: Request for policy decision: kernel nat vs/and/or natd
In-Reply-To: <20110108141111.A15397@sola.nimnet.asn.au>
Message-ID: <20110108220300.Q15397@sola.nimnet.asn.au>
References: <20101223233437.Q27345@sola.nimnet.asn.au> <20110108141111.A15397@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote:
> On Fri, 7 Jan 2011, Brandon Gooch wrote:
> > On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith wrote:
[..]
> > > We could:
> > >
> > > 1) Preference kernel nat over natd when both are enabled.
> >
> > I vote for #1.
>
> Thanks. So far, that makes an overwhelming majority of 2 / NIL :)
>
> I see that hrs@freebsd.org has just grabbed two related PRs:
>
> kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
> conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
>
> so this seems a good time to work up patches to that effect for review
> (/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.

Ok, the attached patches are against HEAD, which is currently identical
to 8-STABLE for these files. rc.d_ipfw.patch also applies to 7-STABLE
with an offset but rc.firewall.patch needs more work for 7.

I've no box on which to actually run-test tonight, and will be away for
a few days.

/etc/rc.d/ipfw:

 . prefer kernel nat (loading ipfw_nat) to natd when both are enabled

 . add ipdivert to required_modules - when only natd is enabled - as
   proposed by Thomas Sandford in conf/153155 and also re kern/148928,
   also fixing the related issue in conf/148137 (and possibly others)

 . prefix /etc/rc.d/natd to firewall_coscripts when only natd is enabled

/etc/rc.d/natd:

 . seems nothing is needed; has KEYWORD nostart and so should only be
   started now by ipfw when natd - but not firewall_nat - is enabled

/etc/rc.firewall:

 . move firewall_nat and natd code into a function, setup_nat(),
   preferring kernel firewall_nat to natd if both are enabled

 . couldn't resist tidying up that code to within 80 columns

 . call setup_nat also in 'simple' ruleset, with same intent as
   proposed in conf/148144 by David Naylor

 . couldn't resist fixing unnecessarily long line in 'workstation'

I've resisted other patches (enabling icmp) that I added to conf/148144,
for which I apologise to David; one thing at a time ..

If folks prefer that this be submitted as yet another PR, please say.
cheers, Ian

Attachment: rc.d_ipfw.patch

--- rc.d_ipfw.1.24	Sat Jan  8 18:13:46 2011
+++ ipfw	Sat Jan  8 21:00:18 2011
@@ -27,9 +27,9 @@
 	fi
 
 	if checkyesno firewall_nat_enable; then
-		if ! checkyesno natd_enable; then
-			required_modules="$required_modules ipfw_nat"
-		fi
+		required_modules="$required_modules ipfw_nat"
+	elif checkyesno natd_enable; then
+		required_modules="$required_modules ipdivert"
 	fi
 }
 
@@ -105,6 +105,7 @@
 }
 
 load_rc_config $name
-firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+checkyesno natd_enable && ! checkyesno firewall_nat_enable && \
+	firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
 
 run_rc_command $*

Attachment: rc.firewall.patch

--- rc.firewall.1.69	Sat Jan  8 18:04:28 2011
+++ rc.firewall	Sat Jan  8 21:24:54 2011
@@ -52,7 +52,7 @@
 #   filename    - will load the rules in the given filename (full path required)
 #
 # For ``client'' and ``simple'' the entries below should be customized
-# appropriately.
+# appropriately with rc.conf variables.
 
 ############
 #
@@ -112,6 +112,29 @@
 	${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
 }
 
+setup_nat () {
+	local iflag
+	if checkyesno firewall_nat_enable; then
+		if [ -n "${firewall_nat_interface}" ]; then
+			if echo "${firewall_nat_interface}" | \
+				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
+				iflag="ip ${firewall_nat_interface}"
+			else
+				iflag="if ${firewall_nat_interface}"
+			fi
+			firewall_nat_flags="$iflag ${firewall_nat_flags}"
+			${fwcmd} nat 123 config log ${firewall_nat_flags}
+			${fwcmd} add $1 nat 123 ip4 from any to any \
+				via ${firewall_nat_interface}
+		fi
+	elif checkyesno natd_enable; then
+		if [ -n "${natd_interface}" ]; then
+			${fwcmd} add $1 divert natd ip4 from any to any \
+				via ${natd_interface}
+		fi
+	fi
+}
+
 if [ -n "${1}" ]; then
 	firewall_type="${1}"
 fi
@@ -142,37 +165,17 @@
 setup_ipv6_mandatory
 
 ############
-# Network Address Translation.  All packets are passed to natd(8)
-# before they encounter your remaining rules.  The firewall rules
-# will then be run again on each packet after translation by natd
-# starting at the rule number following the divert rule.
+# Network Address Translation.  All packets are passed to kernel nat
+# or natd(8) before they encounter your remaining rules.  The firewall
+# rules will then be run again on each packet after NAT translation
+# starting at the rule number following the nat or divert rule.
 #
-# For ``simple'' firewall type the divert rule should be put to a
-# different place to not interfere with address-checking rules.
+# For ``simple'' firewall type the nat or divert rule is installed in
+# a different place to avoid interfering with address-checking rules.
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
-	case ${natd_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
-		fi
-		;;
-	esac
-	case ${firewall_nat_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${firewall_nat_interface}" ]; then
-			if echo "${firewall_nat_interface}" | \
-				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
-				firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
-			else
-				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
-			fi
-			${fwcmd} nat 123 config log ${firewall_nat_flags}
-			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
-		fi
-		;;
-	esac
+	setup_nat 50
 esac
 
 ############
@@ -311,13 +314,7 @@
 	# translated by natd(8) would match the `deny' rule above.  Similarly
 	# an outgoing packet originated from it before being translated would
 	# match the `deny' rule below.
-	case ${natd_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
-		fi
-		;;
-	esac
+	setup_nat
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
@@ -519,7 +516,7 @@
 
 	# Deny and (if wanted) log the rest unconditionally.
 	log=""
-	if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then
+	if checkyesno firewall_logdeny; then
 	  log="log logamount 500"	# The default of 100 is too low.
 	  sysctl net.inet.ip.fw.verbose=1 >/dev/null
 	fi
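Review bot: in the rc.d_ipfw.patch hunk at @@ -27,9 +27,9 @@, the new `elif checkyesno natd_enable` branch silently drops natd when both firewall_nat_enable and natd_enable are YES. That is the agreed precedence, but it leaves an administrator with natd_enable=YES in rc.conf, no natd process, and nothing in the boot log saying why. Consider adding `checkyesno natd_enable && warn "natd_enable ignored: firewall_nat_enable takes precedence"` inside the `if` branch (warn is the rc.subr helper), so the override is visible at boot rather than discovered from a missing divert rule.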
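Review bot: in the rc.d_ipfw.patch hunk at @@ -105,6 +105,7 @@, the guard `checkyesno natd_enable && ! checkyesno firewall_nat_enable && \` spells out the same "natd only" predicate that the `elif` in the required_modules hunk encodes, and setup_nat in rc.firewall encodes it a third time, so the three sites can drift apart if one is edited later. An explicit `if checkyesno natd_enable && ! checkyesno firewall_nat_enable; then` / `firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"` / `fi` is also the form used elsewhere in the script and reads more clearly than the `&&` chain at top level.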
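Review bot: in the rc.firewall.patch hunk at @@ -112,6 +112,29 @@, setup_nat rewrites the global firewall_nat_flags (`firewall_nat_flags="$iflag ${firewall_nat_flags}"`) even though iflag is already declared local, so a second call would prepend a second ip/if clause to the nat config; assembling the flags into a local instead (`local iflag flags`, then `flags="$iflag ${firewall_nat_flags}"` and `${fwcmd} nat 123 config log ${flags}`) keeps the function re-entrant. Two smaller points: `$1` is deliberately left unquoted so that an empty rule number vanishes from `add $1 nat 123` when the simple type calls `setup_nat` with no argument, which deserves a comment at the top of the function; and both branches install no NAT rule at all when firewall_nat_interface or natd_interface is empty, so a host with the enable knob set and the interface unset forwards untranslated without any message, which a `warn` in an else branch would surface.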
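Review bot: in the rc.firewall.patch hunk at @@ -311,13 +314,7 @@, the three context comment lines directly above the new `setup_nat` call still describe packets "translated by natd(8)", but the call now installs a kernel nat rule whenever firewall_nat_enable is set; update them to say kernel nat or natd(8), as the header comment in the @@ -142 hunk was. The unnumbered `setup_nat` also makes kernel nat in the simple type new behaviour (the removed block only ever added the divert rule), which is worth stating in the commit message alongside conf/148144.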
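Review bot: in the rc.firewall.patch hunk at @@ -519,7 +516,7 @@, `checkyesno firewall_logdeny` is a behaviour change and not only a line-length fix: the old test accepted exactly YES or yes, while checkyesno also accepts TRUE, ON and 1 and prints a warning for any other non-empty value, and it requires rc.subr to have been sourced. Both are fine when rc.firewall runs from rc.d/ipfw, but the commit message should say so, and it is worth confirming that rc.firewall is never run stand-alone with sh in a context where checkyesno is undefined, since the old string comparison had no such dependency.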
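The precedence the two patches implement, written out as a stand-alone POSIX sh decision procedure so the both-enabled case can be checked without a box to boot. This is an added example and not Ian's patch or FreeBSD's rc code: checkyesno is a stand-in for the rc.subr function of the same name, and nat_mode, nat_modules, nat_coscript and nat_rule are hypothetical helpers that print what rc.d/ipfw and setup_nat would do for a given set of rc.conf variables. The interface-versus-address heuristic is the regex from the patch.

```shell
#!/bin/sh
# Added example, not part of the patches or of FreeBSD's rc scripts.
# Models the NAT selection policy the patches implement: kernel ipfw nat
# wins when both firewall_nat_enable and natd_enable are set, natd is
# used only when it is the sole option, and nothing is installed when
# neither is enabled or the interface variable is empty.

# Stand-in for rc.subr's checkyesno: true for YES/TRUE/ON/1, false otherwise.
checkyesno() {
	eval _value=\"\$$1\"
	case "$_value" in
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
	*) return 1 ;;
	esac
}

# nat_mode: prints which translator the precedence rule selects.
nat_mode() {
	if checkyesno firewall_nat_enable; then
		echo kernel
	elif checkyesno natd_enable; then
		echo natd
	else
		echo none
	fi
}

# nat_modules: the kernel module rc.d/ipfw adds to required_modules
# (ipfw_nat for kernel nat, ipdivert for natd, nothing otherwise).
nat_modules() {
	case "$(nat_mode)" in
	kernel) echo ipfw_nat ;;
	natd)   echo ipdivert ;;
	*)      echo "" ;;
	esac
}

# nat_coscript: whether rc.d/natd must be started alongside ipfw;
# only in the natd-only case, as the second rc.d/ipfw hunk arranges.
nat_coscript() {
	[ "$(nat_mode)" = natd ] && echo /etc/rc.d/natd
	return 0
}

# nat_rule: the ipfw commands setup_nat would issue; $1 is an optional
# rule number.  A dotted-decimal firewall_nat_interface is passed as an
# address ("ip"), anything else as an interface name ("if").
nat_rule() {
	_num="${1:+ $1}"
	case "$(nat_mode)" in
	kernel)
		[ -n "${firewall_nat_interface}" ] || return 0
		if echo "${firewall_nat_interface}" | grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
			_iflag="ip ${firewall_nat_interface}"
		else
			_iflag="if ${firewall_nat_interface}"
		fi
		echo "nat 123 config log ${_iflag}${firewall_nat_flags:+ $firewall_nat_flags}"
		echo "add${_num} nat 123 ip4 from any to any via ${firewall_nat_interface}"
		;;
	natd)
		[ -n "${natd_interface}" ] || return 0
		echo "add${_num} divert natd ip4 from any to any via ${natd_interface}"
		;;
	esac
}

# Constructed rc.conf values for a quick run: both translators enabled,
# so kernel nat must win and rc.d/natd must not be scheduled.
firewall_nat_enable=YES
natd_enable=YES
firewall_nat_interface=em0
natd_interface=em0
echo "mode: $(nat_mode)  modules: $(nat_modules)  coscript: $(nat_coscript)"
nat_rule 50
```

Run it as `sh nat_policy.sh`; changing the four variables at the bottom reproduces each row of the table the patches encode, including the empty-interface case where no rule is emitted at all.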